fix: remove db password from logs (#89)

* fix: remove db password from logs

* fix: mask db password

* fix: Add tests

* fix: Add more tests

* fix: PR changes

CHANGELOG.md

@@ -7,6 +7,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [5.0.6] - 2024-01-25
+
+- Fixes the issue where passwords were inadvertently logged in the logs.
+
 ## [5.0.5] - 2023-12-06
 
 - Validates db config types in `canBeUsed` function

build.gradle

@@ -2,7 +2,7 @@ plugins {
     id 'java-library'
 }
 
-version = "5.0.5"
+version = "5.0.6"
 
 repositories {
     mavenCentral()

src/main/java/io/supertokens/storage/mysql/config/MySQLConfig.java

@@ -509,10 +509,18 @@ public String getConnectionPoolId() {
         StringBuilder connectionPoolId = new StringBuilder();
         for (Field field : MySQLConfig.class.getDeclaredFields()) {
             if (field.isAnnotationPresent(ConnectionPoolProperty.class)) {
-                connectionPoolId.append("|");
                 try {
-                    if (field.get(this) != null) {
-                        connectionPoolId.append(field.get(this).toString());
+                    String fieldName = field.getName();
+                    String fieldValue = field.get(this) != null ? field.get(this).toString() : null;
+                    if(fieldValue == null) {
+                        continue;
+                    }
+                    // To ensure a unique connectionPoolId we include the database password and use the "|db_pass|" identifier.
+                    // This facilitates easy removal of the password from logs when necessary.
+                    if (fieldName.equals("mysql_password")) {
+                        connectionPoolId.append("|db_pass|" + fieldValue + "|db_pass");
+                    } else {
+                        connectionPoolId.append("|" + fieldValue);
                     }
                 } catch (IllegalAccessException e) {
                     throw new RuntimeException(e);

src/main/java/io/supertokens/storage/mysql/output/CustomLayout.java

@@ -20,7 +20,7 @@
 import ch.qos.logback.classic.spi.ILoggingEvent;
 import ch.qos.logback.core.CoreConstants;
 import ch.qos.logback.core.LayoutBase;
-import io.supertokens.storage.mysql.Start;
+import io.supertokens.storage.mysql.utils.Utils;
 
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
@@ -58,7 +58,7 @@ public String doLayout(ILoggingEvent event) {
         sbuf.append(event.getCallerData()[1]);
         sbuf.append(" | ");
 
-        sbuf.append(event.getFormattedMessage());
+        sbuf.append(Utils.maskDBPassword(event.getFormattedMessage()));
         sbuf.append(CoreConstants.LINE_SEPARATOR);
         sbuf.append(CoreConstants.LINE_SEPARATOR);
 

src/main/java/io/supertokens/storage/mysql/output/Logging.java

@@ -37,10 +37,10 @@ public class Logging extends ResourceDistributor.SingletonResource {
 
     private Logging(Start start, String infoLogPath, String errorLogPath) {
         this.infoLogger = infoLogPath.equals("null")
-                ? createLoggerForConsole(start, "io.supertokens.storage.mysql.Info")
+                ? createLoggerForConsole(start, "io.supertokens.storage.mysql.Info", LOG_LEVEL.INFO)
                 : createLoggerForFile(start, infoLogPath, "io.supertokens.storage.mysql.Info");
         this.errorLogger = errorLogPath.equals("null")
-                ? createLoggerForConsole(start, "io.supertokens.storage.mysql.Error")
+                ? createLoggerForConsole(start, "io.supertokens.storage.mysql.Error", LOG_LEVEL.ERROR)
                 : createLoggerForFile(start, errorLogPath, "io.supertokens.storage.mysql.Error");
     }
 
@@ -154,12 +154,12 @@ public static void error(Start start, String message, boolean toConsoleAsWell, E
 
     private static void systemOut(String msg) {
         if (!Start.silent) {
-            System.out.println(msg);
+            System.out.println(Utils.maskDBPassword(msg));
         }
     }
 
     private static void systemErr(String err) {
-        System.err.println(err);
+        System.err.println(Utils.maskDBPassword(err));
     }
 
     public static void stopLogging(Start start) {
@@ -198,7 +198,7 @@ private Logger createLoggerForFile(Start start, String file, String name) {
         return logger;
     }
 
-    private Logger createLoggerForConsole(Start start, String name) {
+    private Logger createLoggerForConsole(Start start, String name, LOG_LEVEL logLevel) {
         Logger logger = (Logger) LoggerFactory.getLogger(name);
 
         // We don't need to add appender if it is already added
@@ -211,6 +211,7 @@ private Logger createLoggerForConsole(Start start, String name) {
         ple.setContext(lc);
         ple.start();
         ConsoleAppender<ILoggingEvent> logConsoleAppender = new ConsoleAppender<>();
+        logConsoleAppender.setTarget(logLevel == LOG_LEVEL.ERROR ? "System.err" : "System.out");
         logConsoleAppender.setEncoder(ple);
         logConsoleAppender.setContext(lc);
         logConsoleAppender.start();

src/main/java/io/supertokens/storage/mysql/utils/Utils.java

@@ -19,6 +19,8 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.PrintStream;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 public class Utils {
     public static String exceptionStacktraceToString(Exception e) {
@@ -39,4 +41,19 @@ public static String generateCommaSeperatedQuestionMarks(int size) {
         }
         return builder.toString();
     }
+
+    public static String maskDBPassword(String log) {
+        String regex = "(\\|db_pass\\|)(.*?)(\\|db_pass\\|)";
+
+        Matcher matcher = Pattern.compile(regex).matcher(log);
+        StringBuffer maskedLog = new StringBuffer();
+
+        while (matcher.find()) {
+            String maskedPassword = "*".repeat(8);
+            matcher.appendReplacement(maskedLog, "|" + maskedPassword + "|");
+        }
+
+        matcher.appendTail(maskedLog);
+        return maskedLog.toString();
+    }
 }